ETHOS Issue 26, Nov 2023
The need for timely quality health information
Health information is vital for the provision of safe and good quality of care for patients. A key challenge, however, is obtaining accurate and complete details of previous healthcare consultations across a wide variety of settings. Some patients may be on multiple medications, have had multiple laboratory tests done, have visited different healthcare providers, or simply cannot recall previous diagnoses or prescriptions. Where such information is vital for the care of the patient, it can take a significant amount of time for doctors to obtain these from other practitioners, especially if they
all have different medical record systems. As a result, clinical investigations into a patient’s condition may be delayed, or the patient may be asked to repeat certain tests, at their own additional expense.
To overcome these issues, the Ministry of Health (MOH) has been looking into improving the infrastructure through which health information can be collected and shared, allowing information to flow in real time to improve the overall continuity of care. In 2011, a system was developed to share a selected set of electronic medical records within the public healthcare system. Patients who visit different departments within a public hospital, or different public hospitals, could now draw on this centralised set of health records. Today, this National Electronic Health Record (NEHR) system allows healthcare professionals to be able to view their patients’ selected health information at any point in time when they are in the public healthcare system.
MOH had planned to extend the use of this system to the entire healthcare sector. However, the 2018 SingHealth cybersecurity incident, which resulted in 1.5 million individuals’ personal particulars being stolen, put a halt to these plans while MOH worked on further strengthening cybersecurity measures. While we were doing this, the COVID pandemic hit us, which pushed many healthcare providers to go digital. This made it more urgent to improve the collection and use of health information. We thus revived our plans and started conceptualising the Health Information Bill, an important regulatory framework to enable and support the digitalisation of our healthcare system. This was ﬁrst announced in March 2022 and is still under development: the Bill is set to undergo public consultation by end of the year, and targeted to be read and ratiﬁed in Parliament in the ﬁrst half of 2024.
It can take a significant amount of time for doctors to obtain information from other practitioners.
Regulatory shifts for a
new healthcare paradigm
The Health Information Bill has three broad objectives:
1. The Bill mandates that any licensed healthcare provider, whether public or private, must contribute selected patient health information into the NEHR. Any Singaporean, Permanent Resident or Long-Term Pass holder who is seen by a healthcare practitioner in any part of the Singapore healthcare system—be it a hospital, private clinic, dental clinic, dialysis centre or nursing home—will have a set of their health information entered into the national NEHR database. Correspondingly, healthcare providers will be able to access this key information when required to ensure patients receive holistic, seamless, safer and more informed care. The type of data to be contributed will be tailored depending on who the licensed providers are and what information is useful for care. We are also looking into whether other providers, such as retail pharmacies and home nursing services, could also contribute useful information.
More comprehensive information for better medical care
The National Electronic Health Record (NEHR) serves as a one-stop repository of key patient health information, so that our public and private healthcare providers can offer more informed, complete care. NEHR helps ensure seamless care transitions are maintained, even as a patient moves across different care providers in Singapore’s healthcare system.
Take the example of an elderly patient, Mr X:
Mr X, who has suffered a fall, hitting his head and hurting his knees, is admitted to hospital. Upon admission, he feels dizzy and cannot respond clearly to doctors’ questions about whether he has any prior medical conditions or drug allergies. So Mr X’s doctors decide to check his NEHR entry, which has documented the relevant information from previous visits to his GP as well as past admissions to hospital, to help them determine the proper care he should be given.
After a few days, Mr X is well and is discharged. He must continue rehabilitation, as well as receive home medical services from his GP for his wounds. To provide better follow-up care for Mr X, his care providers access the NEHR to better understand his hospitalisation episode. It has a record of his hospital discharge summary, which includes helpful information such as the radiological tests performed and medications prescribed.
2. The Bill facilitates the sharing of certain patient health information among MOH, speciﬁc care providers and partners for approved purposes such as ensuring seamless continuity of care, enabling assessment of eligibility for ﬁnancial schemes and reaching out to residents for national healthcare programmes such as Healthier SG.
3. The Bill stipulates data security and cybersecurity standards to safeguard health information. This is vital to assure the public that their personal health information is safe. Healthcare
providers will be required to put in place appropriate cybersecurity measures to ensure that their systems for collecting, storing, and sharing health data are secure. For example, healthcare providers will need to implement firewalls in their network, install antivirus software , institute two-factor authentication features on their computer systems containing sensitive information, and ensure that their staff are well-trained in cybersecurity practices. Proper data access controls will also be required, so that staff are granted access to the health information only if their role requires it. We will also stipulate that healthcare providers use IT vendors with appropriate security safeguards built in their products and services, and have a proper incident escalation plan to notify the authorities in the event of any suspected data or cybersecurity breaches.
These three broad provisions facilitate the safe storage and appropriate sharing of health data across the healthcare system, to assure continuity of care for patients, in a trustworthy and secure manner.
Underlying all of these objectives is patient autonomy. Individuals will be able to block all healthcare providers from accessing their records on NEHR and limit the sharing of their healthcare information, if they so wish. The health information generated from interactions will still be contributed to NEHR to ensure continuity of care should patients decide to allow access again in future, with no gaps or disruption to their NEHR records.
The existing ethical code for all doctors states that disclosure of medical information without patient consent is acceptable in a medical emergency where patients are unable to provide consent, if the doctor deems that the actions taken is in the patient's best interest. To this end, the Bill will contain a safeguard where a doctor may initiate ‘emergency access’ to a patient’s NEHR. The doctor will have to professionally justify the need for such access, and may be subject to penalties if this is later found to be unjustiﬁed.
Assuring the security of patient data in clinics
Since medical clinics can access patient records through NEHR, they need to have safeguards in managing this sensitive data.
To illustrate, say we have a family doctor’s Clinic Z:
Clinic Z understands that its employees serve as the ﬁrst line of defence in data security, and can also be the weak link. The clinic ensures that its employees undergo periodic cyber and data security awareness training. This is supported by publicly available cybersecurity toolkits from the Cyber Security Agency of Singapore (CSA)’s website. The clinic’s employees can stay up-to-date on the latest security best practices and behaviours, through self-learning materials on basic cyber and data security hygiene practices, structured training conducted by external vendors, and internal simulated phishing exercises.
Clinic Z also uses a Clinic Management System (CMS) to support their patient care. It ensures, through the IT vendors it employs, that the CMS includes appropriate technical measures to protect the sensitive patient data on record. Such measures include anti-malware scans, appropriate ﬁrewalls and audit logs.
Like many offices, Clinic Z uses various IT assets such as desktops, laptops, or mobile devices in their day-to-day operations. The clinic keeps an up-to-date inventory of all IT assets. This helps it to track what needs to be protected, including all hardware, software and connected medical devices, and where these assets are at all times.
Clinic Z has also developed and implemented policies and processes to ensure that access to relevant patient data is regulated and only accorded to the staff who needs access for their work, depending on their role in the clinic.
Nonetheless, Clinic Z acknowledges that cyber attacks and data loss is a matter of when and not if it happens. As such, Clinic Z establishes a proper cyber and data incident response plan to clarify how it will mitigate the impact of an incident, recover from it quickly and ensure business-critical services can continue, so that patient care is not compromised.
Getting ready for the bill
MOH will be conducting a public consultation on the Bill in December 2023, before ﬁnalising it and then bringing it to Parliament in the ﬁrst half of 2024. Enacting the Bill is only the start: it is to signal the need for us to digitalise the healthcare system and enhance continuity of care for patients. We are also developing guidelines and other support mechanisms to help the healthcare sector get ready for this change, which may take one or two more years. It is best to wait for most people to be ready, nudge them along the way, before beginning to enforce the new requirements. This will give us time to get everyone on board and avoid disrupting care and services.
This Bill will have both upstream and downstream implications for other public agencies. There are medical or related records in different Ministries— such as the Ministry of Defence, for instance. We are engaging with these Ministries to ensure that the sharing, access and use of any health data within NEHR will be in accordance with the prescribed use cases, and to address any further concerns that may arise.
Digital systems are helpful tools but not replacements for the doctor-patient relationships.
In addition, there are several groups that we have been engaging and must continue to. For the general public, we will communicate the beneﬁts of sharing health information, and to assure them that their privacy, conﬁdentiality, and security concerns will be looked after. They need to know that not just anyone can go in to access healthcare data, and that we will also take serious action against anyone who breaches our information or cybersecurity regulations.
For our healthcare providers, particularly the smaller providers, it is a matter of dollars and cents: digitalising systems can be costly. To help the smaller players, we are calibrating requirements accordingly and developing grants and implementation support schemes, as well as a whitelist of accredited IT vendors, to ease transition. For practitioners who may not be familiar with using digital platforms, we are suggesting that their pen-and-paper record systems could be transcribed and digitised, so that they can come on board as well. We are also developing a training curriculum to ensure that healthcare providers and their staff are equipped with the capacity to ensure proper cybersecurity and data practices in their work.
In our initial closed-door consultations with medical practitioners last year on the Bill, we also heard concerns about increased medical liability simply because a patient’s medical history is now going to be much more accessible. We also realised that healthcare professionals were not consistently aware of the potential of the NEHR. We therefore formed a workgroup, comprising representatives from various healthcare professional associations and lawyers, to develop a set of guidelines for the appropriate contribution, access and use of NEHR information to beneﬁt patient care. We have consulted on these guidelines with the professional associations through surveys and focus group discussions and are working on reﬁning these for publication next year, in tandem with the reading of the Bill.
Our medical practitioners will not be expected to access NEHR for every medical consultation: they should continue to use professional judgement to decide when to do so to supplement or augment their clinical decision-making. Good history-taking and physical examination are still fundamental requirements; digital systems are helpful tools but not replacements for the doctor-patient relationship. Because medical practitioners may be liable for complaints about their care provision, they should maintain proper documentation in their IT systems. Even if there may be a perceived increased risk of discovery of care lapses, there may not be added liability due to the increased visibility of care provision from NEHR. At the same time, patients cannot expect their doctors to look up every detail of their medical history in NEHR and bear full responsibility for any poor outcomes. Patients should still take ownership of their own health and medical history by offering good history when seeking medical attention.
Unlocking future potential for population wellbeing
It is our hope that the health information collected and shared through this initiative will beneﬁt patients in unprecedented ways at both the individual and population levels. At the individual level, patients can have better and more complete care. At the aggregate level, health information can present beneﬁts for public health research, planning and intervention, such as informing on disease trends correlated with risk factors such as age groups, socio-economic status, geographical location and so on. But these beneﬁts can only be reaped when the information is adequately anonymised and robust safeguards are put in place.
As we reach out to the public in shaping the Health Information Bill, we want to hear from public officers from different sectors and different disciplines, and your policy perspectives on this issue. Since public officers are ourselves patients too, we would also want to hear your thoughts on what implications you may envisage for yourselves or your family members. You can help us make this Bill more robust, harness the promise and opportunities that health information holds to better serve Singaporeans in their healthcare needs.
Details on public consultation for the Bill will be made known soon. To share your views, write to us at HIA_enquiries@moh.gov.sg